Security Recruiter – Daily Security Breach Notification.
Today's post from the Washington Post: http://voices.washingtonpost.com/securityfix/2009/12/jmtest.html?wprss=securityfix
La. firm sues Capital One after losing thousands in online bank fraud
By Brian Krebs | December 7, 2009; 4:15 PM ET
Categories: Small Business Victims | Tags: ach fraud, jm test
An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year.
In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart.
According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches.
“Capital One was not willing to make good on our losses or attempt any type of settlement,” said Happy McKnight, JM Test’s controller. “The banks are clearly taking a ‘Hey, don’t look at me!’ stance. It is so sad to wonder how many business failures this type of fraud has caused.”
Capital One declined to comment for this story.
The lawsuit is the latest to challenge whether banks are doing enough to help customers prevent losses when a virus infection, phishing attack or hacker break-in jeopardizes a company’s online banking credentials, said David Johnson, a digital media lawyer with the Los Angeles law firm Jeffer Mangels Butler & Marmaro LLP.
Johnson said that under the Uniform Commercial Code, banks generally are required to maintain “commercially reasonable” methods of providing security against unauthorized payment orders. But he said just what constitutes “commercially reasonable” security practices has only recently been challenged, citing a recent court case in Illinois expected to go to trial soon in which a couple is suing their bank over $26,500 lost when cyber thieves stole the user name and password needed to access their home equity line of credit.
“The banks try to limit their responsibility by saying that customers have to monitor their accounts and notify the bank immediately if there is some kind of suspicious transfer,” Johnson said. “And it’s very rare that businesses are going to be that diligent in reviewing their online accounts.”
For its part, JM Test maintains that it alerted Capital One to the fraud on the same day as the fraudulent activity, and that the bank still failed to stop the fraud. The plaintiffs charge that Capital One violated its own online banking terms and conditions, which it said provide that once a Capital One customer calls to report fraudulent activity, Capital One will close the affected customer’s existing account to prevent further unauthorized charges.
According to court documents, on Feb. 20, 2009 JM Test discovered that an unauthorized $45,640 wire transfer had been made against its account to an account at Alpha-Bank in Moscow. JM Test claims that it alerted Capital One by telephone of the fraudulent wire transfer that same day, and that the bank said it would investigate.
JM Test alleges that five days later, Capital One issued it a new user name and password. But then on March 2, the company found that thieves had broken into its online bank account yet again, this time initiating a batch of unauthorized payroll payments totaling $51,556.44. The money was sent to at least five different money mules, individuals who the attackers had apparently hired via online job Web sites to receive the transfers and then wire them out of the country.
The lawsuit further states that neither of the fraudulent transfers was initiated from an Internet address that JM Test had used previously to conduct online banking. In addition, court documents state that Capital One advised JM Test on March 3 that it had blocked JM Test’s account, and that March 4 was the first day that it was contacted by a fraud investigator for the bank.
Businesses do not have the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, and typically those charges will be reversed. But organizations that experience fraud with their online banking accounts usually lose any money from unauthorized transactions that aren’t immediately reported to the bank, and even then there is no guarantee that all or any of the fraudulent transfers will be reversed or halted.
Cases such as JM Test’s may become more common. Many of the more than six dozen companies that I have interviewed over the past six months, and who have been victims of similar fraud, said they are weighing whether to sue their banks. In September, Security Fix publicized the case of Patco Construction, a firm in Maine that sued its bank after thieves stole the company’s online banking credentials and used them to transfer at least $588,000 to dozens of money mules throughout the United States.
“The banks cannot let this situation go on or people will start to lose confidence in them,” Johnson said. “If people start thinking they can lose real money when they deposit their money into the bank…that becomes a real business issue. If they’re going to survive, the banks are going to have to crack down on this type of fraud and stop it, and I think they know this.”
A copy of the petition filed with the Louisiana court is available here.
I should note that I finally got around to creating a separate category (Small Business Victims) that tracks this series of stories I’ve been writing about small businesses hit by cyber fraud. This piece marks the 25th story in that series.